← Back to Skills Marketplace
tinkle-community

NOFX AI Trading

by tinkle-community · GitHub ↗ · v1.1.0
cross-platform ⚠ suspicious
1172
Downloads
0
Stars
5
Active Installs
2
Versions
Install in OpenClaw
/install nofx
Description
NOFX AI Trading OS integration - crypto market data, AI trading signals, strategy management, trader control, and automated reporting. Use when working with...
Usage Guidance
What to consider before installing: - This package expects and uses an API key (NOFX_API_KEY) and a config file (default: ~/clawd/skills/nofx/config.json) but the registry metadata does not declare those requirements — do not assume keys are optional. Provide only least-privilege exchange keys (disable withdrawals, restrict permissions and IP whitelist). - The skill’s browser automation expects a profile named 'clawd' (logged-in session). Granting the agent/browser access to a profile can expose other site sessions/cookies; only use a dedicated, isolated browser profile and don't reuse your personal browser profile. - The scripts call external endpoints at nofxos.ai and include examples to post to Telegram/Discord/Slack. Confirm you trust those endpoints and any webhook URLs you configure. - The docs show running remote install scripts via curl|bash from GitHub raw — review those scripts before executing; avoid blind 'curl | bash'. - The shipped shell scripts depend on curl and jq but the metadata does not list required binaries; ensure you inspect and run scripts locally in an isolated environment before allowing the agent to run them. - If you proceed: review config.json and scripts manually, store API keys in a secure secret store (or environment variables with least privilege), use test/demo exchange keys first, and be prepared to rotate/revoke keys if anything suspicious occurs. - If you want a safer assessment, provide the install.sh referenced by the docs or confirm whether the agent will be given access to your browser profile or filesystem; that information would change the risk assessment.
Capability Analysis
Type: OpenClaw Skill Name: nofx Version: 1.1.0 The skill is classified as suspicious due to significant vulnerabilities, specifically the risk of shell injection and API key exposure. The `scripts/nofx-api.sh` script directly embeds unsanitized arguments (e.g., `symbol`, `limit`, `duration`) into `curl` commands, creating a potential remote code execution (RCE) vulnerability if an attacker can control these inputs. Additionally, the script passes the API key as a URL query parameter (`?auth=$API_KEY`), which is less secure than using an Authorization header and increases the risk of the key being logged or exposed. While the skill's stated purpose is legitimate and there's no evidence of intentional malice, these critical vulnerabilities warrant a 'suspicious' classification.
Capability Assessment
Purpose & Capability
The name/description (AI trading, strategy management, browser automation) align with the included docs and scripts: API calls to nofxos.ai, browser automation guidance, strategy schemas, and trader control are present and coherent. However, the skill metadata declares no required env vars / config paths / binaries while the shipped scripts and SKILL.md expect a local config file, an API key, and a browser profile — a proportionality/documentation mismatch.
Instruction Scope
Runtime instructions and reference docs instruct the agent to: (1) read a local workspace config (skills/nofx/config.json or $HOME/clawd/skills/nofx/config.json) containing API keys, (2) use a browser profile named 'clawd' for automation (implying access to logged-in sessions/cookies), and (3) send notifications via external channels (Telegram/Discord/Slack) — these actions access sensitive local secrets and session data and are not limited to just calling the NOFX API. The SKILL.md and references also include 'curl | bash' install examples (downloading and executing remote scripts) and broad guidance such as 'use browser tool with profile: clawd' which could enable reading other web sessions if misused.
Install Mechanism
There is no formal install spec (instruction-only), so nothing is automatically written by the platform. The documentation includes commands that fetch and run scripts from raw GitHub URLs (curl -fsSL https://raw.githubusercontent.com/NoFxAiOS/nofx/main/install.sh | bash) and downloads docker-compose YAML from GitHub — common for open-source projects but higher risk if you blindly execute remote install scripts without review.
Credentials
Although registry metadata lists no required env vars or config paths, the shipped scripts and docs clearly expect: NOFX_API_KEY (or a config.json with api_key), NOFX_CONFIG (optional override), and a browser_profile (clawd). The scripts use curl and jq (external binaries) but these are not declared. The skill therefore expects access to sensitive credentials and a browser profile even though it does not declare them — this is a notable mismatch and a potential exfiltration vector if the agent/browser tool has broad access.
Persistence & Privilege
The skill is not always-included and does not request elevated platform privileges. It does not claim to modify other skills or system-wide settings. Autonomous invocation is enabled (platform default), which increases blast radius if the skill is granted secrets; that combination with the other concerns is why caution is recommended.
How to Use
  1. Make sure OpenClaw is installed (local or Docker)
  2. Run the install command in chat: /install nofx
  3. After installation, invoke the skill by name or use /nofx
  4. Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.1.0
Internationalized: all content translated to English
v1.0.0
Initial release: Complete NOFX AI Trading OS integration
Metadata
Slug nofx
Version 1.1.0
License
All-time Installs 5
Active Installs 5
Total Versions 2
Frequently Asked Questions

What is NOFX AI Trading?

NOFX AI Trading OS integration - crypto market data, AI trading signals, strategy management, trader control, and automated reporting. Use when working with... It is an AI Agent Skill for Claude Code / OpenClaw, with 1172 downloads so far.

How do I install NOFX AI Trading?

Run "/install nofx" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.

Is NOFX AI Trading free?

Yes, NOFX AI Trading is completely free (open-source). You can download, install and use it at no cost.

Which platforms does NOFX AI Trading support?

NOFX AI Trading is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).

Who created NOFX AI Trading?

It is built and maintained by tinkle-community (@tinkle-community); the current version is v1.1.0.

More Skills
self-improving agent
Captures learnings, errors, and corrections to enable continuous improvement. Use when: (1) A command or operation fails unexpectedly, (2) User corrects Clau...
⬇ 463283 · by pskoett
Skill Vetter
Security-first skill vetting for AI agents. Use before installing any skill from ClawdHub, GitHub, or other sources. Checks for red flags, permission scope, and suspicious patterns.
⬇ 259410 · by spclaudehome
Polymarket
Query Polymarket prediction markets. Check odds, find trending markets, search events, track price movements.
⬇ 232503 · by joelchance
Self-Improving + Proactive Agent
Self-reflection + Self-criticism + Self-learning + Self-organizing memory. Agent evaluates its own work, catches mistakes, and improves permanently. Use when...
⬇ 200423 · by ivangdavila
Github
Interact with GitHub using the `gh` CLI. Use `gh issue`, `gh pr`, `gh run`, and `gh api` for issues, PRs, CI runs, and advanced queries.
⬇ 191113 · by steipete
ontology
Typed knowledge graph for structured agent memory and composable skills. Use when creating/querying entities (Person, Project, Task, Event, Document), linkin...
⬇ 190156 · by oswalpalash

💬 Comments